Cyber Security Policy

Version 2024 (07.22.2024)

Policy Brief & Purpose

Our cyber security policy outlines our guidelines and provisions for preserving the security of our data and technology infrastructure.

The more we rely on technology to collect, store, and manage information, the more vulnerable we become to severe security breaches. Human errors, hacker attacks, and system malfunctions could cause significant financial damage and may jeopardize our company’s reputation.

For this reason, we have implemented several security measures and prepared instructions that may help mitigate security risks. We have outlined both provisions in this policy.

Scope

This policy applies to all our employees, contractors, volunteers, and anyone with permanent or temporary access to our systems and hardware.

Confidential Data

Confidential data is secret and valuable. Common examples are:

  • Unpublished financial information
  • Data of customers/partners/vendors
  • Patents, formulas, or new technologies
  • Customer lists (existing and prospective)
  • Protected Health Information (PHI)

All employees are obliged to protect this data. This policy will give our employees instructions on how to avoid security breaches.

Protect Personal and Company Devices

Employees who use their digital devices to access company emails or accounts introduce security risks to our data. We advise our employees to secure their personal and company-issued computers, tablets, and cell phones. They can do this if they:

  • Keep all devices password-protected.
  • Choose complete antivirus software and keep it up to date.
  • Ensure they do not leave their devices exposed or unattended.
  • Install security updates of browsers and systems monthly or as soon as updates are available.
  • Log into company accounts and systems through secure and private networks only.

We also advise our employees to avoid accessing internal systems and accounts from other people’s devices or lending their own devices to others.

New hires who receive company-issued equipment will receive devices that come with:

  • Disk encryption setup
  • Password policies setup
  • Installation of antivirus/anti-malware software

They should follow instructions to protect their devices and refer to our Security Specialists/Network Engineers if they have any questions.

Keep Emails Safe

Emails often host scams and malicious software (e.g., worms). To avoid virus infection or data theft, we instruct employees to:

  • Avoid opening attachments and clicking on links when the content is not adequately explained (e.g., “watch this video; it’s amazing.”)
  • Be suspicious of clickbait titles (e.g., offering prizes and advice).
  • Check the email addresses and names of senders to ensure they are legitimate.
  • Look for inconsistencies or giveaways (e.g., grammar mistakes, capital letters, excessive exclamation marks).

If an employee is unsure whether an email they received is safe, they can contact our IT Specialists.

Manage Passwords Properly

Password leaks are dangerous since they can compromise our entire infrastructure. Not only should passwords be secure so they won’t be easily hacked, but they should also remain secret. For this reason, we advise our employees to:

  • Choose passwords with at least eight characters (including capital and lower-case letters, numbers, and symbols) and avoid information that can be easily guessed (e.g., birthdays).
  • Remember passwords instead of writing them down. Employees should keep their passwords private.
  • Exchange credentials only when necessary. When exchanging them in person isn’t possible, employees should prefer the phone to email, and only if they recognize the person they are talking to.
  • Change their passwords every three months (90 days).

Transfer Data Securely

Transferring data introduces a security risk. Employees must:

  • Avoid transferring sensitive data (e.g., customer information, PHI, employee records) to other devices or accounts unless necessary. When mass transfer of such data is needed, we request employees to ask our Security Specialists for help.
  • Share confidential data over the company network/system, not public Wi-Fi or a private connection.
  • Ensure that the data recipients are properly authorized people or organizations and have adequate security policies.

Report Scams, Privacy Breaches, and Hacking Attempts

Our IT Specialists/Network Engineers must be aware of scams, breaches, and malware to better protect our infrastructure. For this reason, we advise our employees to report perceived attacks, suspicious emails, or phishing attempts to our specialists as soon as possible. Our specialists must investigate promptly, resolve the issue, and send a company-wide alert when necessary.

Our Security Specialists advise employees on how to detect scam emails. We encourage our employees to contact them with any questions or concerns.

Additional Measures

To reduce the likelihood of security breaches, we also instruct our employees to:

  • Turn off their screens and lock their devices when leaving their desks.
  • Report stolen or damaged equipment to the HR/IT Department immediately.
  • Change all account passwords at once when a device is stolen.
  • Report a perceived threat or possible security weakness in company systems.
  • Refrain from downloading suspicious, unauthorized, or illegal software on their company equipment.
  • Avoid accessing suspicious websites.

We expect our employees to comply with our social media and internet usage policy.

Our Security Specialists/Network Administrators should:

  • Install firewalls, anti-malware software, and access authentication systems.
  • Inform employees regularly about new scam emails or viruses and ways to combat them.
  • Investigate security breaches thoroughly.
  • Follow this policy’s provisions as other employees do.

Our company will maintain all physical and digital safeguards needed to protect information.

Remote Employees

Remote employees must also follow this policy’s instructions. Since they will be accessing our company’s accounts and systems from a distance, they are obliged to follow all data encryption and protection standards and settings, and to ensure their private network is secure.

We encourage them to seek advice from our Security Specialists/IT Administrators.

Disciplinary Action

We expect all our employees to follow this policy at all times, and those who cause security breaches may face disciplinary action:

  • First-time, unintentional, small-scale security breach: We may issue a verbal warning and train the employee on security.
  • Intentional, repeated, or large-scale breaches (which cause severe financial or other damage): We will invoke more severe disciplinary action, up to and including termination.

We will examine each incident on a case-by-case basis.

Additionally, employees who are observed to disregard our security instructions will face progressive discipline, even if their behavior hasn’t resulted in a security breach.

Take Security Seriously

Everyone, from customers and partners to employees and contractors, should feel that their data is safe. The only way to gain their trust is to protect our systems and databases proactively. We can all contribute to this by being vigilant and keeping cyber security in mind.